May 2026: M365 Copilot Information Disclosure Vulnerability
CVE-2026-26129 Published on May 7, 2026
M365 Copilot Information Disclosure Vulnerability
Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Weakness Type
Improper Neutralization of Special Elements
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component. Most languages and protocols have their own special elements such as characters and reserved words. These special elements can carry control implications. If software does not prevent external control or influence over the inclusion of such special elements, the control flow of the program may be altered from what was intended. For example, both Unix and Windows interpret the symbol < ("less than") as meaning "read input from a file".
Products Associated with CVE-2026-26129
Want to know whenever a new CVE is published for Microsoft 365 Copilot Business Chat? stack.watch will email you.
Affected Versions
Microsoft 365 Copilot's Business Chat Version - is affected by CVE-2026-26129Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.